--- samba-3.0.12pre1/source/web/swat.c.quoting	2005-03-01 17:36:37.000000000 -0500
+++ samba-3.0.12pre1/source/web/swat.c	2005-03-03 21:56:39.000000000 -0500
@@ -63,18 +63,49 @@
 	return(i);
 }
 
-static char *fix_backslash(const char *str)
+static void emit_as_html(const char *str, int double_slashes )
 {
-	static char newstring[1024];
-	char *p = newstring;
+	const char *p;
+	const char *todo;
 
+	p = str;
+	todo = NULL;
         while (*str) {
-                if (*str == '\\') {*p++ = '\\';*p++ = '\\';}
-                else *p++ = *str;
+                switch ( *str ) {
+		case '\\':
+			if ( double_slashes )
+			    todo = "\\\\";
+			break;
+		case '<':
+			todo = "&lt;";
+			break;
+
+		case '>':
+			todo = "&gt;";
+			break;
+
+		case '\"':
+			todo = "&quot;";
+			break;
+
+		case '&':
+			todo = "&amp;";
+			break;
+
+		default:
+			break;
+		}
+		if ( todo ) {
+		    if ( p != str )
+			fwrite ( p, 1, str - p, stdout );
+		    fputs ( todo, stdout );
+		    todo = NULL;
+		    p = str + 1;
+		}
                 ++str;
         }
-	*p = '\0';
-	return newstring;
+	if ( p != str )
+	    fwrite ( p, 1, str - p, stdout );
 }
 
 static char *stripspaceupper(const char *str)
@@ -195,6 +226,7 @@
 	int i;
 	void *ptr = parm->ptr;
 	char *utf8_s1, *utf8_s2;
+	char tmp[2];
 
 	if (parm->class == P_LOCAL && snum >= 0) {
 		ptr = lp_local_ptr(snum, ptr);
@@ -203,10 +235,18 @@
 	printf("<tr><td>%s</td><td>", get_parm_translated(stripspaceupper(parm->label), _("Help"), parm->label));
 	switch (parm->type) {
 	case P_CHAR:
-		printf("<input type=text size=2 name=\"parm_%s\" value=\"%c\">",
-		       make_parm_name(parm->label), *(char *)ptr);
-		printf("<input type=button value=\"%s\" onClick=\"swatform.parm_%s.value=\'%c\'\">",
-			_("Set Default"), make_parm_name(parm->label),(char)(parm->def.cvalue));
+		printf("<input type=text size=2 name=\"parm_%s\" value=\"", make_parm_name(parm->label) );
+		tmp[0] = *(char *)ptr;
+		tmp[1] = '\0';
+		emit_as_html ( tmp, 0 );
+		printf ( "\">" );
+
+		printf("<input type=button value=\"%s\" onClick=\"swatform.parm_%s.value=\'", 
+_("Set Default"), make_parm_name(parm->label) );
+		tmp[0] = (char)(parm->def.cvalue);
+		tmp[1] = '\0';
+		emit_as_html ( tmp, 1 );
+		printf ( "\'\">" );
 		break;
 
 	case P_LIST:
@@ -215,15 +255,16 @@
 		if ((char ***)ptr && *(char ***)ptr && **(char ***)ptr) {
 			char **list = *(char ***)ptr;
 			for (;*list;list++) {
+				push_utf8_allocate(&utf8_s1, *list);
+				push_utf8_allocate(&utf8_s2, ((*(list+1))?", ":""));
 				/* enclose in quotes if the string contains a space */
 				if ( strchr_m(*list, ' ') ) {
-					push_utf8_allocate(&utf8_s1, *list);
-					push_utf8_allocate(&utf8_s2, ((*(list+1))?", ":""));
-					printf("&quot%s&quot%s", utf8_s1, utf8_s2);
+					printf("&quot;" );
+					emit_as_html ( utf8_s1, 0 );
+					printf ( "&quot;%s", utf8_s2);
 				} else {
-					push_utf8_allocate(&utf8_s1, *list);
-					push_utf8_allocate(&utf8_s2, ((*(list+1))?", ":""));
-					printf("%s%s", utf8_s1, utf8_s2);
+					emit_as_html ( utf8_s1, 0 );
+					printf("%s", utf8_s2);
 				}
 				SAFE_FREE(utf8_s1);
 				SAFE_FREE(utf8_s2);
@@ -236,10 +277,14 @@
 			char **list = (char **)(parm->def.lvalue);
 			for (; *list; list++) {
 				/* enclose in quotes if the string contains a space */
-				if ( strchr_m(*list, ' ') ) 
-					printf("&quot%s&quot%s", *list, ((*(list+1))?", ":""));
-				else
-					printf("%s%s", *list, ((*(list+1))?", ":""));
+				if ( strchr_m(*list, ' ') ) {
+					printf("&quot;");
+					emit_as_html( *list, 1 );
+					printf ( "&quot;%s", ((*(list+1))?", ":""));
+				} else {
+					emit_as_html ( *list, 1 );
+					printf("%s", ((*(list+1))?", ":""));
+				}
 			}
 		}
 		printf("\'\">");
@@ -248,21 +293,26 @@
 	case P_STRING:
 	case P_USTRING:
 		push_utf8_allocate(&utf8_s1, *(char **)ptr);
-		printf("<input type=text size=40 name=\"parm_%s\" value=\"%s\">",
-		       make_parm_name(parm->label), utf8_s1);
+		printf("<input type=text size=40 name=\"parm_%s\" value=\"", make_parm_name(parm->label) );
+		emit_as_html ( utf8_s1, 0 );
+		printf ( "\">" );
 		SAFE_FREE(utf8_s1);
-		printf("<input type=button value=\"%s\" onClick=\"swatform.parm_%s.value=\'%s\'\">",
-			_("Set Default"), make_parm_name(parm->label),fix_backslash((char *)(parm->def.svalue)));
+		printf("<input type=button value=\"%s\" onClick=\"swatform.parm_%s.value=\'",
+			_("Set Default"), make_parm_name(parm->label) );
+		emit_as_html ( (char *)(parm->def.svalue), 1 );
+		printf ( "\'\">" );
 		break;
 
 	case P_GSTRING:
 	case P_UGSTRING:
 		push_utf8_allocate(&utf8_s1, (char *)ptr);
-		printf("<input type=text size=40 name=\"parm_%s\" value=\"%s\">",
-		       make_parm_name(parm->label), utf8_s1);
+		printf("<input type=text size=40 name=\"parm_%s\" value=\"", make_parm_name(parm->label) );
+		emit_as_html ( utf8_s1, 0 );
+		printf ( "\">" );
 		SAFE_FREE(utf8_s1);
-		printf("<input type=button value=\"%s\" onClick=\"swatform.parm_%s.value=\'%s\'\">",
-			_("Set Default"), make_parm_name(parm->label),fix_backslash((char *)(parm->def.svalue)));
+		printf("<input type=button value=\"%s\" onClick=\"swatform.parm_%s.value=\'", _("Set Default"), make_parm_name(parm->label) );
+		emit_as_html ( (char *)(parm->def.svalue), 1 );
+		printf ( "\'\">" );
 		break;
 
 	case P_BOOL: